Obfuscate calendar key (#38687)

Author: mostlikelee

changes/13800-obfuscate-calendar-key

@@ -0,0 +1 @@
+* the google calendar intergration api key json is now obfuscated in GET requests 

cmd/fleetctl/fleetctl/gitops_test.go

@@ -1116,7 +1116,7 @@ func TestGitOpsFullGlobal(t *testing.T) {
 	assert.Len(t, appliedMacProfiles, 1)
 	assert.Len(t, appliedWinProfiles, 1)
 	require.Len(t, savedAppConfig.Integrations.GoogleCalendar, 1)
-	assert.Equal(t, "service@example.com", savedAppConfig.Integrations.GoogleCalendar[0].ApiKey["client_email"])
+	assert.Equal(t, "service@example.com", savedAppConfig.Integrations.GoogleCalendar[0].ApiKey.Values["client_email"])
 	assert.True(t, savedAppConfig.ActivityExpirySettings.ActivityExpiryEnabled)
 	assert.Equal(t, 60, savedAppConfig.ActivityExpirySettings.ActivityExpiryWindow)
 	assert.True(t, savedAppConfig.ServerSettings.AIFeaturesDisabled)

ee/server/calendar/google_calendar.go

@@ -72,9 +72,9 @@ func NewGoogleCalendar(config *GoogleCalendarConfig) *GoogleCalendar {
 	switch {
 	case config.API != nil:
 		// Use the provided API.
-	case config.IntegrationConfig.ApiKey[fleet.GoogleCalendarEmail] == loadEmail:
+	case config.IntegrationConfig.ApiKey.Values[fleet.GoogleCalendarEmail] == loadEmail:
 		config.API = &GoogleCalendarLoadAPI{Logger: config.Logger}
-	case config.IntegrationConfig.ApiKey[fleet.GoogleCalendarEmail] == MockEmail:
+	case config.IntegrationConfig.ApiKey.Values[fleet.GoogleCalendarEmail] == MockEmail:
 		config.API = &GoogleCalendarMockAPI{config.Logger}
 	default:
 		config.API = &GoogleCalendarLowLevelAPI{logger: config.Logger}
@@ -283,8 +283,8 @@ func (lowLevelAPI *GoogleCalendarLowLevelAPI) withRetry(fn func() (any, error))
 func (c *GoogleCalendar) Configure(userEmail string) error {
 	adjustedUserEmail := adjustEmail(userEmail)
 	err := c.config.API.Configure(
-		c.config.Context, c.config.IntegrationConfig.ApiKey[fleet.GoogleCalendarEmail],
-		c.config.IntegrationConfig.ApiKey[fleet.GoogleCalendarPrivateKey], adjustedUserEmail,
+		c.config.Context, c.config.IntegrationConfig.ApiKey.Values[fleet.GoogleCalendarEmail],
+		c.config.IntegrationConfig.ApiKey.Values[fleet.GoogleCalendarPrivateKey], adjustedUserEmail,
 		c.config.ServerURL,
 	)
 	if err != nil {

ee/server/calendar/google_calendar_integration_test.go

@@ -57,10 +57,10 @@ func (s *googleCalendarIntegrationTestSuite) TestCreateGetDeleteEvent() {
 		Context: context.Background(),
 		IntegrationConfig: &fleet.GoogleCalendarIntegration{
 			Domain: "example.com",
-			ApiKey: map[string]string{
+			ApiKey: fleet.GoogleCalendarApiKey{Values: map[string]string{
 				"client_email": loadEmail,
 				"private_key":  s.server.URL,
-			},
+			}},
 		},
 		Logger: kitlog.NewLogfmtLogger(kitlog.NewSyncWriter(os.Stdout)),
 	}
@@ -124,10 +124,10 @@ func (s *googleCalendarIntegrationTestSuite) TestFillUpCalendar() {
 		Context: context.Background(),
 		IntegrationConfig: &fleet.GoogleCalendarIntegration{
 			Domain: "example.com",
-			ApiKey: map[string]string{
+			ApiKey: fleet.GoogleCalendarApiKey{Values: map[string]string{
 				"client_email": loadEmail,
 				"private_key":  s.server.URL,
-			},
+			}},
 		},
 		Logger: kitlog.NewLogfmtLogger(kitlog.NewSyncWriter(os.Stdout)),
 	}

ee/server/calendar/google_calendar_test.go

@@ -137,10 +137,10 @@ func makeConfig(mockAPI *MockGoogleCalendarLowLevelAPI) *GoogleCalendarConfig {
 	config := &GoogleCalendarConfig{
 		Context: context.Background(),
 		IntegrationConfig: &fleet.GoogleCalendarIntegration{
-			ApiKey: map[string]string{
+			ApiKey: fleet.GoogleCalendarApiKey{Values: map[string]string{
 				fleet.GoogleCalendarEmail:      baseServiceEmail,
 				fleet.GoogleCalendarPrivateKey: basePrivateKey,
-			},
+			}},
 		},
 		Logger:    logger,
 		API:       mockAPI,

frontend/interfaces/integration.ts

@@ -63,7 +63,7 @@ export interface IIntegrationFormErrors {
 
 export interface IGlobalCalendarIntegration {
   domain: string;
-  api_key_json: string;
+  api_key_json: Record<string, string>;
 }
 
 interface ITeamCalendarSettings {

frontend/pages/admin/IntegrationsPage/cards/Calendars/Calendars.tsx

@@ -7,6 +7,7 @@ import { NotificationContext } from "context/notification";
 import { AppContext } from "context/app";
 import configAPI from "services/entities/config";
 import paths from "router/paths";
+import { UNCHANGED_PASSWORD_API_RESPONSE } from "utilities/constants";
 
 // @ts-ignore
 import InputField from "components/forms/fields/InputField";
@@ -46,6 +47,17 @@ const API_KEY_JSON_PLACEHOLDER = `{
   "universe_domain": "googleapis.com"
 }`;
 
+// Check if the API key JSON object contains obfuscated values
+const isObfuscatedApiKey = (apiKeyJson: Record<string, string>): boolean => {
+  if (!apiKeyJson || Object.keys(apiKeyJson).length === 0) {
+    return false;
+  }
+  // If all values are "********", the API key is obfuscated
+  return Object.values(apiKeyJson).every(
+    (value) => value === UNCHANGED_PASSWORD_API_RESPONSE
+  );
+};
+
 interface ICalendarsFormErrors {
   domain?: string | null;
   apiKeyJson?: string | null;
@@ -87,16 +99,27 @@ const Calendars = (): JSX.Element => {
   } = useQuery<IConfig, Error, IConfig>(["config"], () => configAPI.loadAll(), {
     select: (data: IConfig) => data,
     onSuccess: (data) => {
-      if (data.integrations.google_calendar) {
-        setFormData({
-          domain: data.integrations.google_calendar[0].domain,
-          // Formats string for better UI readability
-          apiKeyJson: JSON.stringify(
-            data.integrations.google_calendar[0].api_key_json,
-            null,
-            "\t"
-          ),
-        });
+      if (
+        Array.isArray(data.integrations.google_calendar) &&
+        data.integrations.google_calendar.length > 0
+      ) {
+        const apiKeyJsonObj = data.integrations.google_calendar[0].api_key_json;
+
+        // Check if the API key is obfuscated
+        if (isObfuscatedApiKey(apiKeyJsonObj)) {
+          // Show masked value in UI
+          setFormData({
+            domain: data.integrations.google_calendar[0].domain,
+            apiKeyJson: UNCHANGED_PASSWORD_API_RESPONSE,
+          });
+        } else {
+          // Show the actual API key JSON
+          setFormData({
+            domain: data.integrations.google_calendar[0].domain,
+            // Formats string for better UI readability
+            apiKeyJson: JSON.stringify(apiKeyJsonObj, null, "\t"),
+          });
+        }
       }
     },
   });
@@ -115,7 +138,11 @@ const Calendars = (): JSX.Element => {
     if (!curFormData.domain && !!curFormData.apiKeyJson) {
       errors.domain = "Domain must be completed";
     }
-    if (curFormData.apiKeyJson) {
+    // Skip JSON validation if the value is the masked placeholder
+    if (
+      curFormData.apiKeyJson &&
+      curFormData.apiKeyJson !== UNCHANGED_PASSWORD_API_RESPONSE
+    ) {
       try {
         JSON.parse(curFormData.apiKeyJson);
       } catch (e: unknown) {
@@ -150,16 +177,33 @@ const Calendars = (): JSX.Element => {
 
     evt.preventDefault();
 
+    // Determine the API key to submit
+    let apiKeyToSubmit;
+    if (formData.apiKeyJson === UNCHANGED_PASSWORD_API_RESPONSE) {
+      // User didn't change the masked value, don't send it (backend will preserve existing)
+      apiKeyToSubmit = undefined;
+    } else if (
+      formData.apiKeyJson &&
+      formData.apiKeyJson !== UNCHANGED_PASSWORD_API_RESPONSE
+    ) {
+      // User provided a new API key
+      apiKeyToSubmit = JSON.parse(formData.apiKeyJson);
+    } else {
+      // No API key
+      apiKeyToSubmit = null;
+    }
+
     // Format for API
     const formDataToSubmit =
-      formData.apiKeyJson === "" && formData.domain === ""
+      apiKeyToSubmit === null && formData.domain === ""
         ? [] // Send empty array if no keys are set
         : [
             {
               domain: formData.domain,
-              api_key_json:
-                (formData.apiKeyJson && JSON.parse(formData.apiKeyJson)) ||
-                null,
+              // Only include api_key_json if it's not undefined (masked value not changed)
+              ...(apiKeyToSubmit !== undefined && {
+                api_key_json: apiKeyToSubmit,
+              }),
             },
           ];
 
@@ -282,6 +326,11 @@ const Calendars = (): JSX.Element => {
                       inputClassName={`${baseClass}__api-key-json`}
                       error={formErrors.apiKeyJson}
                       disabled={gomEnabled}
+                      helpText={
+                        apiKeyJson === UNCHANGED_PASSWORD_API_RESPONSE
+                          ? "API key is configured. Replace with a new key to update."
+                          : undefined
+                      }
                     />
                     <InputField
                       label="Primary domain"

frontend/pages/admin/IntegrationsPage/cards/CertificateAuthorities/components/EditCertAuthorityModal/helpers.tsx

@@ -6,6 +6,7 @@ import {
   ICertificatesCustomSCEP,
 } from "interfaces/certificates";
 import deepDifference from "utilities/deep_difference";
+import { UNCHANGED_PASSWORD_API_RESPONSE } from "utilities/constants";
 
 import { ICertFormData } from "../AddCertAuthorityModal/AddCertAuthorityModal";
 import { getDisplayErrMessage } from "../AddCertAuthorityModal/helpers";
@@ -16,8 +17,6 @@ import { IHydrantFormData } from "../HydrantForm/HydrantForm";
 import { ISmallstepFormData } from "../SmallstepForm/SmallstepForm";
 import { ICustomESTFormData } from "../CustomESTForm/CustomESTForm";
 
-const UNCHANGED_PASSWORD_API_RESPONSE = "********";
-
 export const generateDefaultFormData = (
   certAuthority: ICertificateAuthority
 ): ICertFormData => {

frontend/utilities/constants.tsx

@@ -10,6 +10,8 @@ import { IHost } from "interfaces/host";
 const { origin } = global.window.location;
 export const BASE_URL = `${origin}${URL_PREFIX}/api`;
 
+export const UNCHANGED_PASSWORD_API_RESPONSE = "********";
+
 export enum PolicyResponse {
   PASSING = "passing",
   FAILING = "failing",

server/cron/calendar_cron_test.go

@@ -234,9 +234,9 @@ func TestCalendarEventsMultipleHosts(t *testing.T) {
 				GoogleCalendar: []*fleet.GoogleCalendarIntegration{
 					{
 						Domain: "example.com",
-						ApiKey: map[string]string{
+						ApiKey: fleet.GoogleCalendarApiKey{Values: map[string]string{
 							fleet.GoogleCalendarEmail: "calendar-mock@example.com",
-						},
+						}},
 					},
 				},
 			},
@@ -420,9 +420,9 @@ func TestCalendarEvents1KHosts(t *testing.T) {
 				GoogleCalendar: []*fleet.GoogleCalendarIntegration{
 					{
 						Domain: "example.com",
-						ApiKey: map[string]string{
+						ApiKey: fleet.GoogleCalendarApiKey{Values: map[string]string{
 							fleet.GoogleCalendarEmail: "calendar-mock@example.com",
-						},
+						}},
 					},
 				},
 			},
@@ -753,9 +753,9 @@ func TestEventBody(t *testing.T) {
 				GoogleCalendar: []*fleet.GoogleCalendarIntegration{
 					{
 						Domain: "example.com",
-						ApiKey: map[string]string{
+						ApiKey: fleet.GoogleCalendarApiKey{Values: map[string]string{
 							fleet.GoogleCalendarEmail: "calendar-mock@example.com",
-						},
+						}},
 					},
 				},
 			},